Getting ready
In general, a display filter string is a series of primitive expressions connected by conjunctions (and, or, and so on), each optionally preceded by not:
[not] Expression [and|or] [not] Expression...
Where:
- Expression can be any filter expression, such as ip.src==192.168.1.1 (for a source address), tcp.flags.syn==1 (for a set TCP SYN flag), tcp.analysis.retransmission (for TCP retransmissions), and so on
- and|or are the conjunctions; expressions can be combined in any way, including with brackets and nested brackets, and the filter string can be of any length
The condition in an expression can be one of the following:
| C-like syntax | Shortcut | Description | Example |
|---|---|---|---|
| == | eq | Equal | ip.addr == 192.168.1.1 or ip.addr eq 192.168.1.1 |
| != | ne | Not equal | !ip.addr==192.168.1.1 or ip.addr != 192.168.1.1 or ip.addr ne 192.168.1.1 |
| > | gt | Greater than | frame.len > 64 |
| < | lt | Less than | frame.len < 1500 |
| >= | ge | Greater than or equal to | frame.len >= 64 |
| <= | le | Less than or equal to | frame.len <= 1500 |
|  | Is present | A parameter is present | http.response |
|  | contains | Contains a string | http.host contains cisco |
|  | matches | A string matches the condition | http.host matches www.cisco.com |
You can put spaces around an operator or leave them out; both forms are accepted.
The logical operators are as follows:
| C-like syntax | Shortcut | Description | Example |
|---|---|---|---|
| && | and | Logical AND | ip.src==10.0.0.1 and tcp.flags.syn==1: all SYN packets sent from IP address 10.0.0.1, that is, practically all connections opened (or attempted) from 10.0.0.1 |
| \|\| | or | Logical OR | ip.addr==10.0.0.1 or ip.addr==10.0.0.2: all packets to or from either of the two IP addresses |
| ! | not | Logical NOT | not arp and not icmp: all packets that are neither ARP nor ICMP |
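The grammar and both tables above, as an added example that is not from the book: a small Python parser that turns a display filter string into a predicate and evaluates it against constructed packet field dictionaries (the PACKETS list and its field values are made up; no real Wireshark dissection is involved). It implements the comparison operators in both spellings, the bare-field "is present" test, the three logical operators with not binding tightest and and before or, brackets, and optional whitespace.

```python
import operator, re
_CMP = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,  # shortcut = C-like form
        ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
        ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le,
        "contains": lambda a, b: str(b) in str(a),
        "matches": lambda a, b: re.search(str(b), str(a)) is not None}
# Two-character operators before their one-character prefixes, quoted strings, then bare words.
_TOKEN = re.compile(r'\(|\)|&&|\|\||!=|==|>=|<=|>|<|!|"[^"]*"|[^\s()!=<>&|]+')

def _compare(actual, op, value):           # absent field -> False; ip.addr holds both src and dst
    values = [] if actual is None else actual if isinstance(actual, list) else [actual]
    hits = [op(v, int(value) if isinstance(v, int) else value) for v in values]
    return bool(hits) and (all(hits) if op is operator.ne else any(hits))  # != : every value differs

def compile_filter(text):
    """'[not] Expr [and|or] [not] Expr...' -> predicate; not binds tightest, then and, then or."""
    toks = _TOKEN.findall(text)            # whitespace between tokens is optional
    peek = lambda: toks[0] if toks else None
    def primary():
        tok = toks.pop(0)
        if tok in ("not", "!"):
            inner = primary()
            return lambda pkt: not inner(pkt)
        if tok == "(":
            inner = disj()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        if peek() not in _CMP:             # bare field name: "is present"
            return lambda pkt: tok in pkt
        op, value = _CMP[toks.pop(0)], toks.pop(0).strip('"')
        return lambda pkt: _compare(pkt.get(tok), op, value)
    def chain(ops, combine, operand):      # left-associative run of one precedence level
        node = operand()
        while peek() in ops:
            toks.pop(0)
            node = combine(node, operand())
        return node
    conj = lambda: chain(("and", "&&"), lambda a, b: (lambda p: a(p) and b(p)), primary)
    disj = lambda: chain(("or", "||"), lambda a, b: (lambda p: a(p) or b(p)), conj)
    pred = disj()
    if toks:                               # reject trailing garbage instead of silently ignoring it
        raise ValueError(f"unexpected token {toks[0]!r}")
    return pred

# Constructed sample packets (dissected field values, not a real capture): SYN, HTTP, ARP, ICMP.
PACKETS = [{"frame.len": 74, "ip.src": "10.0.0.1", "ip.addr": ["10.0.0.1", "10.0.0.2"], "tcp.flags.syn": 1},
           {"frame.len": 512, "ip.src": "10.0.0.2", "ip.addr": ["10.0.0.2", "10.0.0.1"], "http.host": "www.cisco.com"},
           {"frame.len": 60, "arp": True},
           {"frame.len": 98, "ip.src": "192.168.1.1", "ip.addr": ["192.168.1.1", "10.0.0.1"], "icmp": True}]
```

The two "not equal" spellings in the table agree only on packets that carry ip.addr: on the constructed ARP packet, `!ip.addr==192.168.1.1` is true while `ip.addr != 192.168.1.1` is false, because a comparison against an absent field is false.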